> _Drafted from the author's summary, not a diff — verify file lists, package boundaries, and severity before opening._ # feat(auth)!: migrate authentication from custom JWT to Auth0 ## Summary ⚠️ **Breaking change.** Replaces the in-house JWT issuance and verification stack with Auth0 as the identity provider across the React client and Express API. This unlocks a single source of truth for user identity (MFA, social login, password reset, audit logs all move out of our codebase) and removes a class of bugs we've been carrying in the custom JWT layer. ⚠️ Large PR — ~30 files spanning client and server. Reviewer should consider whether the server-side verification swap and the client-side login flow can be reviewed (or even split) as separate seams; they are coupled at the token-shape level but otherwise independent. ## What changed - **Server (Express):** swap custom JWT signing/verification middleware for Auth0 JWKS-based verification (likely `express-oauth2-jwt-bearer` or `express-jwt` + `jwks-rsa`). The `/auth/login`, `/auth/refresh`, and `/auth/logout` handlers either delegate to Auth0 or are removed; protected routes now read `req.auth` (or equivalent) from the Auth0 middleware instead of the previous custom claims object. - **Client (React):** integrate the Auth0 SDK (likely `@auth0/auth0-react`), wrap the app in `Auth0Provider`, replace the bespoke login form with `loginWithRedirect`, and route token attachment through `getAccessTokenSilently` instead of reading from `localStorage`/cookies. - **Session + token storage:** custom refresh-token rotation logic removed; Auth0 silent renewal takes over. Any direct reads of `localStorage.token` (or cookie equivalents) replaced with the SDK's accessor. - **User model mapping:** map Auth0's `sub` claim to the existing internal user id (reviewer should confirm: is there a migration/backfill, or are existing users matched by email?). (continues)